Sign in with
Sign up | Sign in
Your question

LAN Manager hash

Last response: in Windows 2000/NT
Share
Anonymous
a b 8 Security
December 6, 2004 11:47:19 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi All,

I want to enable ""Do not store LAN Manager hash value on next password
change"
I read that I will need to change the password on all accounts after
enabling this setting.
Is the meaning is that all my users will get notification that they need to
change their passwords? or its only recommendation?

Thanks In Advanced!

Nir B

More about : lan manager hash

Anonymous
a b 8 Security
December 6, 2004 11:47:20 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi,

This is only recommendation. There will be no user notification after you
enable the policy.

If your password policy is set to e.g. users must change password after
every 70 days, you know that after 70 days all user's password will be
stored as NT Hash. Don't forget to change e.g. service account passwords
(for e.g. backup). These accounts are usually set to "password never
expires". Beside that, they usually have higher privileges on the network,
so it is even more important to get rid if LM hashes.

Mike

"Nir B" <nir@icomverse.com> wrote in message
news:o Y58v912EHA.2192@TK2MSFTNGP14.phx.gbl...
> Hi All,
>
> I want to enable ""Do not store LAN Manager hash value on next password
> change"
> I read that I will need to change the password on all accounts after
> enabling this setting.
> Is the meaning is that all my users will get notification that they need
> to
> change their passwords? or its only recommendation?
>
> Thanks In Advanced!
>
> Nir B
>
>
Anonymous
a b 8 Security
December 6, 2004 12:10:56 PM

Archived from groups: microsoft.public.win2000.security (More info?)

10X

"Miha Pihler" <mihap-news@atlantis.si> wrote in message
news:#8a8eB22EHA.3408@tk2msftngp13.phx.gbl...
> Hi,
>
> This is only recommendation. There will be no user notification after you
> enable the policy.
>
> If your password policy is set to e.g. users must change password after
> every 70 days, you know that after 70 days all user's password will be
> stored as NT Hash. Don't forget to change e.g. service account passwords
> (for e.g. backup). These accounts are usually set to "password never
> expires". Beside that, they usually have higher privileges on the network,
> so it is even more important to get rid if LM hashes.
>
> Mike
>
> "Nir B" <nir@icomverse.com> wrote in message
> news:o Y58v912EHA.2192@TK2MSFTNGP14.phx.gbl...
> > Hi All,
> >
> > I want to enable ""Do not store LAN Manager hash value on next password
> > change"
> > I read that I will need to change the password on all accounts after
> > enabling this setting.
> > Is the meaning is that all my users will get notification that they need
> > to
> > change their passwords? or its only recommendation?
> >
> > Thanks In Advanced!
> >
> > Nir B
> >
> >
>
>
Related resources
Anonymous
a b 8 Security
December 6, 2004 12:10:57 PM

Archived from groups: microsoft.public.win2000.security (More info?)

You can consider configuring all the accounts to "require user to change
password at next login." This can even be done with a script, using
CUSRMGR.EXE [doesn't come with windows, is part of the Windows Resource Kit]
or with a free ADSI .VBS script that can be found in google, if you are
using Windows 2000 or 2003. I would avoid setting this value on service
accounts, and this value can cause problems for users that typically log in
using RAS or VPN or Internet or any other method besides the windows logon
by pressing CTRL-ALT-DELETE while physically attached to your internal
network.


"Nir B" <nir@icomverse.com> wrote in message
news:e%23qi9K22EHA.2196@TK2MSFTNGP14.phx.gbl...
> 10X
>
> "Miha Pihler" <mihap-news@atlantis.si> wrote in message
> news:#8a8eB22EHA.3408@tk2msftngp13.phx.gbl...
> > Hi,
> >
> > This is only recommendation. There will be no user notification after
you
> > enable the policy.
> >
> > If your password policy is set to e.g. users must change password after
> > every 70 days, you know that after 70 days all user's password will be
> > stored as NT Hash. Don't forget to change e.g. service account passwords
> > (for e.g. backup). These accounts are usually set to "password never
> > expires". Beside that, they usually have higher privileges on the
network,
> > so it is even more important to get rid if LM hashes.
> >
> > Mike
> >
> > "Nir B" <nir@icomverse.com> wrote in message
> > news:o Y58v912EHA.2192@TK2MSFTNGP14.phx.gbl...
> > > Hi All,
> > >
> > > I want to enable ""Do not store LAN Manager hash value on next
password
> > > change"
> > > I read that I will need to change the password on all accounts after
> > > enabling this setting.
> > > Is the meaning is that all my users will get notification that they
need
> > > to
> > > change their passwords? or its only recommendation?
> > >
> > > Thanks In Advanced!
> > >
> > > Nir B
> > >
> > >
> >
> >
>
>
Anonymous
a b 8 Security
December 6, 2004 9:17:25 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Just to add that you may want to force sensitive accounts such as
administrators to change their passwords right away and let other users do
at their next interval. Additionally you would want to consider enabling
password complexity for the domain if you have not done such already and
disabling storage of lm hash for your non dc servers to make it harder to
crack local administrator accounts on those computers. --- Steve


"Nir B" <nir@icomverse.com> wrote in message
news:o Y58v912EHA.2192@TK2MSFTNGP14.phx.gbl...
> Hi All,
>
> I want to enable ""Do not store LAN Manager hash value on next password
> change"
> I read that I will need to change the password on all accounts after
> enabling this setting.
> Is the meaning is that all my users will get notification that they need
> to
> change their passwords? or its only recommendation?
>
> Thanks In Advanced!
>
> Nir B
>
>
!